Nokia, the cellphone manufacturer, has been listening in to all encrypted communications from its handsets. Every connection advertised as secure – banking, social networks, dating, corporate secrets – has been covertly wiretapped by Nokia themselves and decrypted for analysis.

Security researcher Gaurang posted an article on January 5 about some unexpected behavior with their Nokia handset. It would appear that the browser traffic from the handset would get diverted through Nokia’s servers.

Then a follow-up article on January 9 dropped the bomb, and it goes into quite technical detail: it wasn’t enough that Nokia diverted all traffic from its handsets through its own servers; it also decrypted the encrypted traffic and re-encrypted it before passing it on, issuing HTTPS certificates on the fly that the Nokia phone had been instructed to trust as secure.

This means that Nokia has deliberately been wiretapping all traffic that has been advertised as encrypted on Nokia handsets – including but not limited to banking, dating, credit card numbers, and corporate secrets – and looking at your secrets in cleartext.

This means that Nokia puts itself between your bank and you, and presents itself as YourBank, Inc. to your phone. This wouldn’t normally be possible if it weren’t for the fact that the phone had been specifically designed for this deceptive behavior by installing a Nokia signing certificate on the phone.
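The reason this works is that the phone’s trust store, not the bank, decides which certificate counts as “YourBank, Inc.”, so a certificate minted on the fly by a proxy passes hostname verification as long as it chains to a root the handset was shipped with. An application can still catch this by pinning: refusing a leaf certificate whose issuer or fingerprint is not the one it expects. The check below is an added illustration, not code from the article or from Nokia; the certificate dictionaries are constructed to match the shape `ssl.SSLSocket.getpeercert()` returns, and the names `Example Public CA G2` and `Handset Vendor Proxy CA` are placeholders.

```python
import hashlib
import ssl
from typing import Optional, Tuple

def rdn_value(name, attr: str) -> Optional[str]:
    """Pull one attribute (e.g. 'commonName') out of a getpeercert()-style name,
    which is a tuple of RDNs, each a tuple of (type, value) pairs."""
    for rdn in name:
        for key, value in rdn:
            if key == attr:
                return value
    return None

def pin_check(cert: dict, der: bytes, expected_issuer_cn: str,
              pinned_sha256: Optional[str] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Fails when the leaf was issued by a CA other than the
    one the application expects, or when the pinned fingerprint does not match.
    Hostname verification alone would pass both certificates below."""
    issuer_cn = rdn_value(cert.get("issuer", ()), "commonName")
    if issuer_cn != expected_issuer_cn:
        return False, f"issuer is {issuer_cn!r}, expected {expected_issuer_cn!r}"
    if pinned_sha256 is not None:
        fp = hashlib.sha256(der).hexdigest()
        if fp != pinned_sha256:
            return False, f"fingerprint {fp[:16]}... does not match pin"
    return True, "issuer and pin match"

def verify_peer(sock: ssl.SSLSocket, expected_issuer_cn: str,
                pinned_sha256: Optional[str] = None) -> Tuple[bool, str]:
    """Apply pin_check to a live, already-handshaked TLS socket (needs a network)."""
    return pin_check(sock.getpeercert(), sock.getpeercert(binary_form=True),
                     expected_issuer_cn, pinned_sha256)

# Constructed sample data, not real certificates. First a leaf issued by the bank's public CA...
GENUINE_CERT = {
    "subject": ((("commonName", "online.example-bank.test"),),),
    "issuer": ((("organizationName", "Example Public CA"),), (("commonName", "Example Public CA G2"),)),
}
GENUINE_DER = b"constructed-der-bytes-genuine"
# ...then one minted on the fly by an intercepting proxy. Same subject, so hostname checks
# pass; it chains to a root the handset was told to trust, so chain validation passes too.
PROXY_CERT = {
    "subject": ((("commonName", "online.example-bank.test"),),),
    "issuer": ((("organizationName", "Handset Vendor"),), (("commonName", "Handset Vendor Proxy CA"),)),
}
PROXY_DER = b"constructed-der-bytes-proxy"
EXPECTED_ISSUER = "Example Public CA G2"
PIN = hashlib.sha256(GENUINE_DER).hexdigest()  # the fingerprint the app ships with

if __name__ == "__main__":
    for label, cert, der in (("genuine", GENUINE_CERT, GENUINE_DER), ("proxy", PROXY_CERT, PROXY_DER)):
        print(label, pin_check(cert, der, EXPECTED_ISSUER, PIN))
```

Only the proxy-issued leaf is rejected, and it is rejected by the issuer check before the fingerprint is even consulted.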

Nokia has confirmed this behavior in correspondence with TechWeek Europe (my highlights):